OpenSSL Patches Multiple Critical Vulnerabilities Across Ubuntu LTS Releases
Canonical has released security updates addressing multiple OpenSSL vulnerabilities affecting Ubuntu 14.04 through 26.04 LTS, including heap buffer over-reads, CMS authentication bypasses, and denial-of-service flaws. The patches resolve issues in ASN.1 parsing, PKCS#12 integrity checks, and QUIC handling.
TL;DR
- Four CVEs fixed in OpenSSL affecting Ubuntu LTS releases: heap buffer over-read (CVE-2026-34180), PKCS#12 HMAC bypass (CVE-2026-34181), CMS authentication bypass (CVE-2026-34182), and QUIC handling DoS (CVE-2026-34183)
- Heap buffer over-read in ASN.1 parsing could enable information disclosure or denial of service
- CMS AuthEnvelopedData forgery allows attackers to bypass message authentication checks
- NULL pointer dereferences in password-based CMS decryption and CRMF decryption trigger denial of service
- QUIC-related flaws including unbounded memory growth and initial packet handling issues affect Ubuntu 25.10 and 26.04 LTS
Canonical has released coordinated security updates addressing multiple vulnerabilities in OpenSSL across Ubuntu 14.04 LTS, 16.04 LTS, 18.04 LTS, 20.04 LTS, 25.10, and 26.04 LTS. The vulnerabilities span memory safety issues, cryptographic authentication bypasses, and protocol-level denial-of-service conditions.
The flaws affect core OpenSSL functionality including ASN.1 content parsing, CMS message handling, PKCS#12 file processing, and QUIC protocol implementation. Attackers could exploit these issues to crash services, bypass security checks, or extract sensitive information depending on the specific vulnerability and deployment context.
Memory Safety and Information Disclosure
- CVE-2026-34180: Heap buffer over-read in ASN.1 content parsing discovered by Frank Buss; enables denial of service or potential information disclosure
- CVE-2026-42766: NULL pointer dereference in password-based CMS decryption causes denial of service
- CVE-2026-42767: NULL pointer dereference in CRMF EncryptedValue decryption causes denial of service
Cryptographic Authentication Bypasses
- CVE-2026-34181: PKCS#12 files with short HMAC keys incorrectly accepted when using PBMAC1; allows integrity check bypass (Ubuntu 25.10 and 26.04 LTS only)
- CVE-2026-34182: OpenSSL accepts forged CMS AuthEnvelopedData messages, enabling message authentication bypass
QUIC Protocol Vulnerabilities
- CVE-2026-34183: Unbounded memory growth in QUIC PATH_CHALLENGE handler enables remote denial of service (Ubuntu 25.10 and 26.04 LTS only)
- CVE-2026-34184: NULL pointer dereference in QUIC server initial packet handling enables remote denial of service
Affected Versions and Remediation
- Updates available for Ubuntu 14.04 LTS, 16.04 LTS, 18.04 LTS, and 20.04 LTS via USN-8414-2
- Additional fixes for Ubuntu 25.10 and 26.04 LTS via USN-8414-1
- Organizations should apply patches immediately to mitigate exploitation risk
Sources
Sources
Security email updates
One digest email when we publish new security articles (TL;DR plus links to read more). Unsubscribe anytime from the message footer. See our Privacy Policy.